b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.


INTRODUCTION TO CRYPTOGRAPHY

5. Discrete Logarithms

Recall the classical logarithm for real numbers: If we write $b = 10^a$, then $a = \log_{10} b$ is the logarithm of $b$ to the base 10. Changing the base to $e$ we obtain natural logarithms, so $a = \ln b$ means that $b = e^a$.

We can do something similar for finite fields. Let $\mathbb{F}_q$ be the finite field with $q$ elements, let $g$ be a generator of $\mathbb{F}_q^\times$. Then every element $b \in \mathbb{F}_q^\times$ can be written as $b = g^a$, and we define $a = L_g(b)$. $L_g(b)$ is the discrete logarithm of $b$ to the base $g$. It is only defined modulo $q-1$, because $g^{q-1} = 1$.

The security of cryptosystems using discrete logarithms is based on the assumption that it is computationally hard or impossible to find the discrete logarithm $a = L_g(b)$ given $g$ and $b$. Currently, the size of $q$, for which discrete logarithms can be calculated, is about the same as the size of integers, which can be factored: between 100 and 150 digits.

As with all logarithms the discrete logarithm turns products into sums, i.e., we have the rule:

$$L_g(bc) \equiv L_g(b) + L_g(c) \bmod q-1.$$

Examples:

1. Let us consider the field $\mathbb{F}_{17}$. $g = 3$ is a primitive root modulo 17, hence a generator of $\mathbb{F}_{17}^\times$. Let us find $L_3(15)$. We have to compute the powers of 3 modulo 17: $3$, $3^2 = 9$, $3^3 = 10$, $3^4 = 13$, $3^5 = 5$, $3^6 = 15$, hence $L_3(15) = 6$.

2. We take $\mathbb{F}_8 = \mathbb{F}_2[x]/(x^3 + x + 1)$. Here $q = 8$, hence $q - 1 = 7$, and therefore every $g \neq 1$ is a generator of $\mathbb{F}_8^\times$. Let us take $g = x$ and try to find $L_x(x^2 + 1)$. We compute the powers of $x$ modulo $x^3 + x + 1$, i.e., we are replacing $x^3$ by $x + 1$: $x$, $x^2$, $x + 1$, $x^2 + x$, $x^2 + x + 1$, $x^2 + 1$, so $L_x(x^2 + 1) = 6$.

The finite fields $\mathbb{F}_{2^n}$ are used very often in cryptography, because it is quite easy to calculate products, as we will see. The field $\mathbb{F}_{2^8} = \mathbb{F}_2[x]/(x^8 + x^4 + x^3 + x + 1)$ is used e.g. in the so-called Advanced Encryption System (AES) of Rijndael.

Every element in $\mathbb{F}_{2^n} = \mathbb{F}_2[x]/(p(x))$, $p(x)$ an irreducible polynomial of degree $n$, can be represented by a polynomial

$$f(x) = a_{n-1} x^{n-1} + a_{n-2} x^{n-2} + \cdots + a_1 x + a_0$$

of degree $\le n-1$. The coefficients $a_i$ are in $\mathbb{F}_2$, so equal to either 0 or 1. We can represent $f(x)$ by the vector

$$(a_{n-1}\, a_{n-2} \cdots a_1\, a_0) \in \mathbb{F}_2^n.$$

If $g(x)$ is another polynomial of degree $\le n-1$, represented by $(b_{n-1}\, b_{n-2} \cdots b_1\, b_0)$, then the sum $f(x) + g(x)$ is simply obtained by adding the coefficients modulo 2. This addition is usually denoted by $\oplus$ and also called XOR, which stands for Exclusive Or. But it is simply addition of vectors in $\mathbb{F}_2^n$.

In logic, if $p$ and $q$ are two statements, then the truth of $p$ XOR $q$ is determined by the following truth table:

p    q    p XOR q
F    F    F
F    T    T
T    F    T
T    T    F

In other words $p$ XOR $q$ is true if one of $p$ and $q$ is true, but not both. If we replace T by 1 and F by 0, then the table describes precisely the addition in $\mathbb{F}_2$. This explains the notation.

In order to multiply two polynomials of degree $\le n-1$ in $\mathbb{F}_{2^n}$, it suffices to describe the multiplication of $f(x)$ by $x$. This is done as follows: We have

$$p(x) = x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0,$$

which we represent as a vector in $\mathbb{F}_2^{n+1}$:

$$(1\, c_{n-1}\, c_{n-2} \cdots c_1\, c_0).$$

Now $f(x) \cdot x$ is represented by

$$(a_{n-1}\, a_{n-2} \cdots a_1\, a_0\, 0) \in \mathbb{F}_2^{n+1},$$

which is simply obtained from the vector for $f(x)$ by a shift to the left and adding 0 at the end. If $a_{n-1} = 0$, hence $f(x)$ is of degree $\le n-2$, then we simply omit the first entry and get the vector for $f(x) \cdot x$. If, however, $a_{n-1} = 1$, then we XOR with $(1\, c_{n-1}\, c_{n-2} \cdots c_1\, c_0)$:

$$(1\, a_{n-2} \cdots a_1\, a_0\, 0) \oplus (1\, c_{n-1}\, c_{n-2} \cdots c_1\, c_0).$$

The first entry is now equal to 0, which we drop.

Example: We consider $\mathbb{F}_{16} = \mathbb{F}_2[x]/(x^4 + x^3 + 1)$. Here $p(x) = x^4 + x^3 + 1$ is irreducible (check!) of degree 4, and represented by

$$p(x) \leftrightarrow (11001).$$

We want to compute $(x^3 + x + 1)(x^2 + 1)$ in $\mathbb{F}_{16}$. We take

$$f(x) = x^3 + x + 1 \leftrightarrow (1011).$$

Then

$$f(x) \cdot x \leftrightarrow (10110).$$

We add $p(x)$ to obtain

$$(10110) \oplus (11001) = (01111) \leftrightarrow (1111).$$

We multiply again by $x$ to obtain $f(x) \cdot x^2$:

$$(1111) \to (11110),$$

which we XOR with $(11001)$ to obtain

$$f(x) \cdot x^2 \leftrightarrow (0111).$$

Now we simply add $f(x)$:

$$(0111) \oplus (1011) = (1100).$$

We obtained:

$$(x^3 + x + 1)(x^2 + 1) = x^3 + x^2$$

in $\mathbb{F}_{16}$, i.e., modulo $x^4 + x^3 + 1$.

We will discuss 3 different systems, whose security is based on discrete logarithms: The ElGamal Public Key Cryptosystem, the Diffie-Hellman Key Exchange and the ElGamal Signature Algorithm.
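The shift-and-XOR multiplication in $\mathbb{F}_{2^n}$ described above can be written directly on bit vectors. The following Python sketch is an added example, not part of the original notes; the function names are hypothetical, polynomials are stored as integers whose bits are the coefficients, and the irreducibility test is plain trial division, which is only practical for small degrees.

```python
def gf2_mod(a, m):
    """Remainder of a(x) divided by m(x), coefficients in F_2."""
    dm = m.bit_length()
    while a.bit_length() >= dm:
        # Cancel the leading term of a with a shifted copy of m.
        a ^= m << (a.bit_length() - dm)
    return a


def is_irreducible(p):
    """Trial division by every polynomial of degree 1 .. n//2."""
    n = p.bit_length() - 1
    if n < 1:
        return False
    for d in range(2, 1 << (n // 2 + 1)):
        if gf2_mod(p, d) == 0:
            return False
    return True


def gf2n_mul(f, g, p):
    """Product f*g in F_2[x]/(p(x)) using only shifts and XORs."""
    n = p.bit_length() - 1
    if f >> n or g >> n:
        raise ValueError("operands must have degree <= n-1")
    result = 0
    while g:
        if g & 1:
            result ^= f          # add the current multiple f * x^i
        g >>= 1
        f <<= 1                  # multiply f by x: shift left, append 0
        if (f >> n) & 1:         # leading coefficient a_{n-1} was 1
            f ^= p               # XOR with the vector of p(x)
    return result


def dlog_by_powers(g, b, p):
    """L_g(b) in F_{2^n}, found by listing the powers of g."""
    n = p.bit_length() - 1
    power = g
    for a in range(1, 1 << n):
        if power == b:
            return a
        power = gf2n_mul(power, g, p)
    return None


if __name__ == "__main__":
    P16 = 0b11001                                   # x^4 + x^3 + 1
    print(is_irreducible(P16))                      # the "(check!)" in the text
    print(bin(gf2n_mul(0b1011, 0b0101, P16)))       # (x^3+x+1)(x^2+1) in F_16
    print(dlog_by_powers(0b10, 0b101, 0b1011))      # L_x(x^2+1) in F_8
    print(hex(gf2n_mul(0x57, 0x83, 0x11B)))         # AES field, FIPS-197 example
```
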

The ElGamal Public Key Cryptosystem

Here is the description of the system: Bob chooses a finite field $\mathbb{F}_q$ and a generator $g$ of $\mathbb{F}_q^\times$. He also chooses an integer $a$ and computes $b = g^a$. The triple $(\mathbb{F}_q, g, b)$ is public, but the discrete logarithm $a = L_g(b)$ is only known to Bob.

If Alice wants to send a message $m < q$ to Bob, then she proceeds as follows: She first chooses a random integer $k$ and computes $r = g^k$ and $t = m b^k$ in $\mathbb{F}_q$. She sends the pair $(r, t)$ to Bob. To read the message Bob computes

$$t r^{-a} = m b^k (g^k)^{-a} = m b^k b^{-k} = m.$$

Since $k$ is random, so is $t = b^k m$, hence $t$ does not provide any knowledge about $m$. If discrete logarithms are hard to compute, Eve will not be able to compute $k$ from the knowledge of $r$, so she cannot recover $m$ from $t$.

Example: Assume Bob's public ElGamal system is $(\mathbb{F}_q, g, b) = (\mathbb{F}_{23}, 7, 4)$, and that he receives the pair $(r, t) = (21, 11)$ from Alice. To continue we have to know what Bob knows, namely $a = L_7(4)$. We compute the powers of 7: $7$, $7^2 = 3$, $7^3 = 21$, $7^4 = 9$, $7^5 = 17$, $7^6 = 4$, so that $a = L_g(b) = 6$. Now it is easy to find the message $m$ by computing

$$m = 11 \cdot 9 = 7.$$

How did Alice do her part of the calculation? Her random number was $k = 3$, since $7^3 = 21 = r$. She then computed $t = b^k m = 11$.

A similar idea is behind the following key exchange:

The Diffie-Hellman Key Exchange

Bob and Alice want to agree on a secret key, which they can then use in a symmetric cryptosystem. They do the following:

1. They choose a field $\mathbb{F}_q$ and a generator $g$ of $\mathbb{F}_q^\times$, which are public.
2. Alice chooses a random $x \in \mathbb{F}_q^\times$, Bob chooses a random $y \in \mathbb{F}_q^\times$.
3. Alice sends $g^x$ to Bob, and Bob sends $g^y$ to Alice.

4. Their secret key now is $g^{xy}$, which Alice computes as $(g^y)^x$, and Bob computes as $(g^x)^y$.

Example: Bob and Alice agree on the field $\mathbb{F}_{31}$ and $g = 3$. Alice sends the number 26 to Bob and Bob sends the number 13 to Alice. Let us pretend now that we are Alice. Then we know that we obtained 26 as $3^5$ in $\mathbb{F}_{31}$, hence the random number $x$ equals 5. We now obtain from Bob the number 13. We compute the key to be $13^5 = 6$. Bob does a similar calculation: He knows that $13 = 3^{11}$, so $y = 11$. He computes the key via = 6.

The security of the Diffie-Hellman Key Exchange depends on the assumption that the following problem is computationally very hard:

Computational Diffie-Hellman Problem: Given $g^x$ and $g^y$ in $\mathbb{F}_q$, find $g^{xy}$.

Of course, if one can compute discrete logarithms, then there is no problem: compute $x$ from $g^x$, and then $(g^y)^x$. It is not known whether the converse is true as well, i.e., whether a solution to the Computational Diffie-Hellman Problem produces a solution to the discrete logarithm problem. However, we will show that a solution to the Computational Diffie-Hellman Problem is equivalent to a successful attack on the ElGamal cryptosystem.

Proposition 5.1. A solution to the Computational Diffie-Hellman Problem is equivalent to breaking the ElGamal System.

Proof. Let us first assume that we have an algorithm which always computes $g^{xy}$ from $g^x$ and $g^y$. We then take as input $g^x = b\,(= g^a)$ and $g^y = r\,(= g^k)$, where $b$ and $r$ are the known quantities from the ElGamal System. The algorithm will then compute $g^{xy} = g^{ak}$. Since $m = t r^{-a} = t g^{-ak}$ we find $m$.

Conversely, let us assume that we have an algorithm which computes $m = t r^{-a}$ from a given pair $(r, t)$ associated to the triple $(\mathbb{F}_q, g, b)$. We then take as input $b = g^x$, so $a = x$, and $r = g^y$, $t = 1$. Then the algorithm produces $m = t r^{-a} = g^{-yx}$, whose inverse is $g^{xy}$.

The ElGamal Signature Scheme

Recall that Bob is supposed to sign a document $m$. He chooses the triple $(\mathbb{F}_q, g, b)$, which is public. Only he knows $a = L_g(b)$. He now chooses a random integer $k$, relatively prime to $q - 1$:

$$\gcd(k, q-1) = 1,$$

and computes the following quantities:

$$r = g^k$$
$$s \equiv k^{-1}(m - ar) \bmod q-1$$

His signature is now the pair $(r, s)$, which he attaches to the document $m$. So he sends $(m, r, s)$ to Alice.

How can Alice verify that the signature had to come from Bob, since only he knows the discrete logarithm $a$? She computes $b^r r^s$ and $g^m$. She accepts the signature if the two quantities are equal, i.e., if

$$b^r r^s = g^m.$$

Let us check: We have $b^r = g^{ar}$ and $r^s = g^{ks}$, so that the left-hand side equals $g^{ar+ks}$, which equals $g^m$, since $ar + ks \equiv m \bmod q-1$ by definition of $s$.

Example: We take the triple $(\mathbb{F}_{17}, 3, 11)$. Only Bob knows that mod 17, so that $a = 7$ in our notation. The message is $m = 2$. The random choice of Bob turns out to be $k = 5$. He computes $r = g^k = 3^5 = 5$ in $\mathbb{F}_{17}$. He now needs $k^{-1} = 5^{-1} \bmod 16$, which equals 13. He continues to compute

$$s = k^{-1}(m - ar) = 13(2 - 7 \cdot 5) \equiv 3 \bmod 16.$$

He now sends the signed document

$$(m, r, s) = (2, 5, 3)$$

to Alice. Alice verifies the signature using the verification

$$b^r r^s = g^m$$

in $\mathbb{F}_{17}$. In our example this means mod 17,

which is easily seen to be correct.

One has to be careful with the range of $r$. If we allow $r$ to be any integer modulo $p$, then Eve can copy Bob's valid signature $(r, s)$ for the document $m$ to any other document: To see this, let $m'$ be another document. Then $m' \equiv mu \bmod p$ for some $u$. The Chinese Remainder Theorem allows us to solve the following congruences:

$$r' \equiv ru \bmod p-1 \quad\text{and}\quad r' \equiv r \bmod p.$$

The solution $r'$ will be in the range $0 \le r' \le p(p-1)$. Finally, we set $s' \equiv su \bmod p-1$. We claim that $(m', r', s')$ passes the verification test, hence the signature $(r', s')$ would be accepted by Alice as a valid signature to the document $m'$. We have to check that

$$b^{r'} (r')^{s'} \equiv g^{m'} \bmod p.$$

This reads

$$b^{ru} r^{su} \equiv g^{mu} \bmod p,$$

which holds, since it is simply the $u$-th power of the verification for $(m, r, s)$. It is easy to avoid this problem by insisting that $0 \le r \le p-1$.

Example: We look at the previous example, where the given triple was $(\mathbb{F}_{17}, 3, 11)$, the message was $m = 2$ and the signature was $(r, s) = (5, 3)$. Eve wants to attach Bob's signature to the document $m' = 4 = 2m$. Here $u = 2$, and Eve has to solve the congruences

$$r' \equiv 2r = 10 \bmod 16 \quad\text{and}\quad r' \equiv r \bmod 17.$$

The result is $r' = 90$. Eve also computes $s' = su = 6$. She now sends the signed document $(m', r', s') = (4, 90, 6)$ to Alice. Alice verifies that mod 17 and accepts the signature. Bad luck for Bob, who just agreed with his falsified signature to make a substantial payment into Eve's account.

We now turn to algorithms that compute discrete logarithms in certain cases:
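The range check on $r$ from the signature discussion above, as a verifier with and without the check. This Python sketch is an added example, not part of the original notes; the function names are hypothetical, the test vectors are the triples given in the text, and the strict verifier uses $1 \le r \le p-1$ because $r = 0$ can never satisfy the verification equation.

```python
from math import gcd


def sign(p, g, a, m, k):
    """ElGamal signature (r, s) on m with secret exponent a and nonce k."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be relatively prime to p - 1")
    r = pow(g, k, p)
    s = pow(k, -1, p - 1) * (m - a * r) % (p - 1)
    return r, s


def verify_naive(p, g, b, m, r, s):
    """Tests b^r * r^s == g^m in F_p and nothing else.

    r is used twice: as an exponent (where only r mod p-1 matters) and as a
    base (where only r mod p matters). Accepting any integer r lets the two
    uses be chosen independently, which is what the text warns about.
    """
    return pow(b, r, p) * pow(r, s, p) % p == pow(g, m, p)


def verify_strict(p, g, b, m, r, s):
    """Same equation, but r must already be a reduced residue modulo p."""
    if not (isinstance(r, int) and isinstance(s, int)):
        return False
    if not 1 <= r <= p - 1:
        return False
    return verify_naive(p, g, b, m, r, s)


# Public triple (F_17, 3, 11) and the (m, r, s) triples from the text.
P, G, B = 17, 3, 11
VECTORS = [
    ("genuine signature", 2, 5, 3),
    ("signature copied to m' = 4 with r' = 90", 4, 90, 6),
    ("same copy with r' reduced modulo p", 4, 90 % P, 6),
]


def run_vectors(verify):
    """Return {label: accepted?} for every vector under the given verifier."""
    return {label: verify(P, G, B, m, r, s) for label, m, r, s in VECTORS}


if __name__ == "__main__":
    print(sign(P, G, 7, 2, 5))
    for name, fn in (("naive", verify_naive), ("strict", verify_strict)):
        for label, ok in run_vectors(fn).items():
            print(f"{name:6} {label:42} accepted={ok}")
```

The third vector shows that the copied signature stops verifying once $r'$ is reduced modulo $p$, so rejecting out-of-range $r$ closes the gap without affecting genuine signatures.
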

The Pohlig-Hellman Algorithm

We start with a finite field $\mathbb{F}_q$ and a generator $g$ of $\mathbb{F}_q^\times$. Given $b \in \mathbb{F}_q^\times$ we try to find its discrete logarithm with respect to the generator $g$, i.e., we try to solve the equation

$$b = g^x$$

in $\mathbb{F}_q$. We first observe that by the Chinese Remainder Theorem finding $x$ modulo $q-1$ is equivalent to finding $x$ modulo $p_i^{r_i}$ for $i = 1, 2, \ldots, t$, where

$$q - 1 = \prod_{i=1}^{t} p_i^{r_i}$$

is the factorization of $q-1$ into a product of powers of distinct primes $p_i$. The Pohlig-Hellman Algorithm computes $x \bmod p_i^{r_i}$ for each prime $p_i$, so that we can concentrate now on a given prime power dividing $q-1$. We will denote this prime power by $l^r$ and not by $p^r$ to avoid confusion in the case where $q = p$. So $l^r$ is now a prime power dividing $q-1$ and $r$ is as large as possible.

To determine $x$ modulo $l^r$, we will determine the coefficients $x_i$, $0 \le x_i \le l-1$, in the following $l$-expansion of $x$ modulo $l^r$:

$$x \equiv x_0 + x_1 l + x_2 l^2 + \cdots + x_{r-1} l^{r-1} \bmod l^r, \qquad 0 \le x_i \le l-1 \text{ for } i = 1, 2, \ldots, r-1.$$

To start the algorithm we observe that

$$x\left(\frac{q-1}{l}\right) \equiv x_0\left(\frac{q-1}{l}\right) + x_1\left(\frac{q-1}{l}\right) l + \cdots \equiv x_0\left(\frac{q-1}{l}\right) \bmod q-1,$$

and therefore

$$b^{\frac{q-1}{l}} = g^{x\frac{q-1}{l}} = g^{x_0\frac{q-1}{l}}.$$

We now make a list of the following $l$ distinct powers of $g$:

$$a_{k,l} := g^{k\frac{q-1}{l}} \quad\text{for } k = 0, 1, \ldots, l-1.$$

A comparison between $b^{\frac{q-1}{l}}$ and the members of the list then determines $x_0$. If $r \ge 2$, then we continue as follows: We define

$$b_1 = b g^{-x_0} = g^{x_1 l + x_2 l^2 + \cdots + x_{r-1} l^{r-1}}.$$

As above we now compute

$$b_1^{\frac{q-1}{l^2}} = g^{x_1\frac{q-1}{l}},$$

which we compare with the list to determine $x_1$. Assume now that we have determined $x_0, x_1, \ldots, x_{i-1}$ for some $i \le r-1$, and that we have defined $b, b_1, \ldots, b_{i-1}$. We continue as follows:

Define

$$b_i = b_{i-1}\, g^{-x_{i-1} l^{i-1}} = g^{x_i l^i + \cdots + x_{r-1} l^{r-1}}$$

and compute

$$b_i^{\frac{q-1}{l^{i+1}}} = g^{x_i\frac{q-1}{l}},$$

which we compare with the list to determine $x_i$. The Pohlig-Hellman Algorithm works well if the prime divisors of $q-1$ are relatively small.

Example: We take $q = p = 37$, $g = 2$ and $b = 28$. We want to find $L_2(28)$. We have $q - 1 = 36$.

We first take $l = 2$, $r = 2$: The list is easy to compute: $a_{0,2} = 1$, $a_{1,2} = 2^{18} = -1$. We now compute $b^{\frac{q-1}{l}} = 1$, which shows that $x_0 = 0$. We have $b_1 = b$ and compute $28^9 = -1$, which shows that $x_1 = 1$, hence $x \equiv x_0 + 2x_1 \equiv 2$ mod

We now take $l = 3$, $r = 2$: The list is given by $a_{0,3} = 1$, $a_{1,3} \equiv 26 \bmod 37$, $a_{2,3} \equiv 10 \bmod 37$, since $a_{1,3}$ = = mod 37 and $a_{2,3}$ = 2 3 = mod 37. We now compute $b^{\frac{q-1}{l}} \equiv 26 \bmod 37$, which shows that $x_0 = 1$. Now $b_1 = b \cdot 2^{-1}$ = mod 37,

and we compute $b_1^{\frac{q-1}{l^2}}$ = mod 37, which implies $x_1 = 2$. Therefore $x \equiv 7 \bmod 9$. From the Chinese Remainder Theorem we finally obtain

$$x \equiv 34 \bmod 36.$$

The next algorithm is based on a completely different idea:

Baby step Giant step Algorithm

Again we want to solve

$$b = g^x$$

in a finite field $\mathbb{F}_q$. Let $N = [\sqrt{q-1}] + 1$ and make two lists:

Baby step      Giant step
$g^0$          $b$
$g^1$          $b g^{-N}$
$g^2$          $b g^{-2N}$
...            ...
$g^{N-1}$      $b g^{-(N-1)N}$

Now we are looking for a match between the two lists: If we find that

$$g^j = b g^{-kN},$$

then $b = g^j g^{kN} = g^{j+kN}$, and we found $x$. We now claim that there has to be a match: Note that by definition of $N$:

$$0 \le x < q - 1 < N^2,$$

and therefore $x$ can be written as

$$x = x_0 + x_1 N$$

with $0 \le x_0, x_1 \le N-1$. This implies that

$$b = g^x = g^{x_0} g^{x_1 N},$$

hence

$$g^{x_0} = b g^{-x_1 N}$$

is a match between $g^{x_0}$ from the Baby step list and $b g^{-x_1 N}$ from the Giant step list.

This algorithm needs roughly $2\sqrt{q}$ calculations, which have to be stored. This becomes infeasible for values of $q$, which are larger than

Example: We look at the same example as before: $q = 37$, $g = 2$, $b = 28$. Here $N = 7$ and the two lists are

Baby step      Giant step

We find a match mod 37, which again yields mod 37.

The last algorithm we are discussing is not restricted to solving discrete log problems, but is a rather universal method of attack based on the so-called Birthday Paradox:

The Birthday Paradox

The simple question we are trying to answer is: How many people have to be in a room, so that the probability that two of them have the same birthday is 50%?

Let us review some elementary probability theory: We choose a finite non-empty set $S$, the sample space, which will serve as the set of possible outcomes of an experiment. Any $s \in S$ will be an elementary event, and any subset $A$ of $S$ will be an event, in other words the set of all events is $P(S)$, the set of all subsets of $S$. As an example we can take

$$S = \{1, 2, 3, 4, 5, 6\}$$

as the sample space for the event of throwing a die. Then $A = \{1, 3, 5\}$ would be the event that the result is an odd number.

Attached to every experiment is a probability distribution, which assigns to each event $A$ the probability that it occurs. In other words, we have a function

$$p : P(S) \to [0, 1]$$

satisfying the following properties:

$$p(S) = 1,$$
$$p(A \cup B) = p(A) + p(B)$$

if $A$ and $B$ are disjoint. It is clear that

$$p(A) = \sum_{s \in A} p(s)$$

for any event $A$. $p$ is called uniformly distributed if

$$p(a) = \frac{1}{|S|}$$

for any elementary event $a$.

To study the birthday problem, we will assume that there are $N = 365$ possible birthdays. We also assume that the possible birthdays are uniformly distributed. Let us consider the case that $r$ people are in a room. The sample space $S$ will consist of all $r$-tuples of possible birthdays, hence $|S| = N^r$. Instead of looking at the event $A$ that two people have the same birthday, we look at the event $E$ that no two people have the same birthday, i.e., at $E = A^c$. We have

$$E = \{(b_1, \ldots, b_r) \in S \mid b_i \ne b_j \text{ for all } i \ne j\}.$$

Now for an element $(b_1, \ldots, b_r)$ in $E$ we have $N$ possible choices for $b_1$, $N-1$ possible choices for $b_2$, etc., and finally $N - r + 1$ possible choices for $b_r$. Hence

$$|E| = N(N-1)(N-2) \cdots (N-r+1),$$

and therefore

$$p(E) = \frac{1}{N^r} \prod_{i=0}^{r-1} (N - i) = \prod_{i=0}^{r-1} \left(1 - \frac{i}{N}\right).$$

If we use the inequality $1 + x \le e^x$, which holds for all $x$ (a simple proof is to note that $y = 1 + x$ is the tangent to the function $e^x$ at $x = 0$, and this tangent lies below the curve, since $e^x$ is concave up), then we obtain

$$p(E) \le e^{-\sum_{i=1}^{r-1} \frac{i}{N}} = e^{-\frac{1}{N}\frac{r(r-1)}{2}} \approx e^{-\frac{r^2}{2N}}.$$

The last estimate holds for large $N$ and $r \approx \sqrt{N}$, since then $e^{\frac{r}{2N}} \approx 1$. We want to have $p(E) \le \frac{1}{2}$. We can take logarithms

$$\ln p(E) \le -\frac{1}{N}\frac{r(r-1)}{2},$$

and solve the equation

$$\frac{1}{N}\frac{r(r-1)}{2} = \ln 2.$$

This shows that $p(E) \le \frac{1}{2}$, hence $p(A) \ge \frac{1}{2}$, if r Nln 2.

Our original problem is then answered as follows: If there are at least 23 people in a room, then the probability that 2 have the same birthday is larger than 50%. The probability increases to 89%, if $r = 40$.

The main result of the birthday paradox is that there is a good chance of a match if $r \approx \sqrt{N}$, and that the probability increases if $r \approx 2\sqrt{N}, 3\sqrt{N}, \ldots$, i.e., it suffices to take $r$ to be a constant times $\sqrt{N}$ to obtain a good chance for a match.

Example: Assume that you are looking at the 3-digit numbers on the licence plates, while you are stuck in slow traffic. How many licence plates do you have to observe before you find a match with a 50% chance? Here $N = 1{,}000$, and if we use the approximation $p(A) = 1 - e^{-\frac{r^2}{2N}}$, then $r$ should be larger or equal to $\sqrt{2 \ln 2 \cdot N}$. So, if you observe 38 licence plates, then the chance of finding a match exceeds 50%.

The application of the birthday paradox to cryptography is slightly different and analogous to the following question: Suppose there are 2 rooms and 30 people in each of them. How large is the probability that there is a match of a birthday between two people in different rooms? In general, we have $N$ choices and $r$ people in 2 groups. It can be shown that the probability for a match between two different groups is then given by

$$p(A) = 1 - e^{-\frac{r^2}{N}}.$$

If we take, for example, $N = 365$ and $r = 30$, then a match of birthdays in the two groups occurs with probability p(a) = 1 e

In cryptography we are going to produce randomly two lists, each of length $r$, from $N$ possibilities. This is then called a birthday attack. The probability for a match between the two lists is then $1 - e^{-\frac{r^2}{N}}$, hence about 63% if $r \approx \sqrt{N}$ and about 98% if $r \approx 2\sqrt{N}$.

Let us first consider the birthday attack on discrete logarithms: As before we want to solve

$$b = g^x$$

in a finite field $\mathbb{F}_q$. Let $N \approx \sqrt{q}$ and make two lists:

List 1         List 2
$g^{i_1}$      $b g^{-j_1}$
$g^{i_2}$      $b g^{-j_2}$
...            ...
$g^{i_N}$      $b g^{-j_N}$

where the exponents $i_k$ and $j_k$ of $g$ are randomly chosen in both lists. Now we are looking for a match between the two lists, which would solve the problem. This is of course not more efficient than the Baby Step Giant Step method, because both produce lists of about the same length ($\sqrt{q}$), but the Baby Step Giant Step method guarantees a match, whereas the birthday attack is probabilistic. We will see, however, that the birthday attack is very useful in various other situations.

Hash functions

Assume we want to attach a digital signature to a very long legal document $m$. Since the signature is at least as long as $m$, this seems to be infeasible. We would rather sign a compressed shorter version of the document, if we are not jeopardizing security. This leads to the notion of hash functions.

Definition: A hash function $h$ is a function which maps messages $m$ of arbitrary length to a message digest $h(m)$ of fixed length:

$$h : \{\text{all messages}\} \to \{\text{message digests of length } N\}$$

and satisfies certain properties:

1. $h$ should be easy to compute.
2. $h$ should be one-way (preimage resistant), which means that it is hard to find an inverse image of a message digest $y$.
3. $h$ should be strongly collision free, i.e., it is computationally impossible to find a collision, i.e., a pair $(x, x')$ with $x \ne x'$ so that $h(x) = h(x')$.

Sometimes it is sufficient to weaken property 3. and simply require that $h$ is weakly collision free, i.e., given $x$ it is computationally impossible to find a collision $(x, x')$.

Here is an easy example of a hash function. It does not satisfy properties 2. and 3., but the principle is used in more sophisticated hash functions: Fix an integer $N$. Any message $m$, which we assume to be represented as a number of arbitrary size, is first divided into individual blocks of length $N$:

$$m = (m_1\, m_2 \cdots m_r).$$

Each block $m_i$ is then simply a row vector of length $N$:

$$m_i = (m_{i1}, m_{i2}, \ldots, m_{iN}),$$

and the message $m$ can now be represented by a matrix

$$\begin{pmatrix} m_{11} & m_{12} & \cdots & m_{1N} \\ m_{21} & m_{22} & \cdots & m_{2N} \\ \vdots & \vdots & & \vdots \\ m_{r1} & m_{r2} & \cdots & m_{rN} \end{pmatrix}$$

The value $h(m)$ of the hash function is now simply the vector of length $N$ obtained by adding up the values in each column of the matrix:

$$h(m) = \left(\sum_{i=1}^{r} m_{i1}, \sum_{i=1}^{r} m_{i2}, \ldots, \sum_{i=1}^{r} m_{iN}\right).$$

It is obvious that we can run a birthday attack on a given hash function to try to produce a collision. If the number of possible outputs of the hash function is equal to $N$, then we can compute a list of $\sqrt{N}$ hash values $h(x)$ for randomly chosen $x$. There is then a good chance to find a collision, and we can make the probability very high by producing e.g. a list of $5\sqrt{N}$ hash values. To avoid a successful birthday attack, $N$ has to be large enough to make the computation and storage of all the values impossible, say N

There are various commercially used hash functions available, e.g. SHA-1 and its successor SHA-2, developed by the National Security Agency (NSA). Here SHA stands for Secure Hash Algorithm. It is usually known which hash function is used to produce a message digest.

As we pointed out already, hash functions are very useful for digital signatures. Instead of signing a long document $m$, Bob signs a hash value $h(m)$. Eve will not be able to use the same signature on the hash value $h(m') = h(m)$ of a different document $m'$, because the hash function is assumed to be weakly collision free.

Another use of hash functions is to check whether data have been changed during transmission, either by Eve or by errors in the transmission. If Alice wants to send data to Bob, she can send a pair $(m, h(m))$, which Bob will receive as $(M, H)$, say. Bob can simply check if $h(M) = H$, in which case he will assume that he got the correct data, again because collisions are hard to obtain.

Most of the hash functions in use are not proven to be collision free. Here is an example of a hash function which is strongly collision free if discrete logs are impossible to compute:

Example: We choose a prime number $p$, so that

$$l := \frac{p-1}{2}$$

is also a prime number. Examples are $p = 7, 11, 23, 47, \ldots$, but it is not known if there are in fact infinitely many of this form. We choose a primitive root $g$ modulo $p$ and an element $b = g^a \in \mathbb{F}_p$. The hash function is defined as

$$h : \mathbb{Z}/l^2\mathbb{Z} \to \mathbb{Z}/p\mathbb{Z}, \qquad h(x_0 + x_1 l) = g^{x_0} b^{x_1},$$

where we write any $x \in \mathbb{Z}/l^2\mathbb{Z}$, $0 \le x \le l^2 - 1$, as $x = x_0 + x_1 l$ with $0 \le x_0, x_1 \le l-1$, i.e., we are using the $l$-adic expansion of $x$.

Assume now that we find a collision $(x, x')$ for the hash function $h$. This means that we have $x = x_0 + x_1 l$ and $x' = x_0' + x_1' l$, so that $x \ne x'$ and $h(x) = h(x')$, hence

$$g^{x_0} b^{x_1} = g^{x_0'} b^{x_1'}.$$

Now $b = g^a$, and therefore comparing the exponents we obtain

$$x_0 + a x_1 \equiv x_0' + a x_1' \bmod p-1$$

or

$$x_0 - x_0' \equiv a(x_1' - x_1) \bmod p-1.$$

If $x_1 = x_1'$, then we would have $x_0 - x_0' \equiv 0 \bmod p-1$. But $p - 1 = 2l$, and therefore we would obtain $x_0 \equiv x_0' \bmod l$, hence $x_0 = x_0'$, which contradicts the fact that $x \ne x'$. We conclude that $x_1 \ne x_1'$, and therefore we can solve the congruence for $a$: Let $d$ denote the greatest common divisor of $x_1' - x_1$ and $p - 1$. Since $p - 1 = 2l$, there are only 4 divisors of $p-1$, hence $d$ can only be equal to $1, 2, l, 2l$. We want to rule out the possibilities that $d = l$ or $d = 2l$. We note that $0 \le x_1, x_1' \le l-1$, and therefore $-l < x_1' - x_1 < l$, so that the only possible values for $d$ are 1 and 2. Hence the congruence

$$x_0 - x_0' \equiv a(x_1' - x_1) \bmod p-1$$

has at most two solutions. If we have two solutions $a_1$ and $a_2$, then we simply compute $g^{a_1}$ and $g^{a_2}$ and compare with $b$ to obtain $a$. We see that if we can find a collision, then we can find the discrete logarithm of $b$.
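The reduction just described, from a collision of $h$ to the discrete logarithm of $b$, can be run end to end on toy parameters. This Python sketch is an added example, not part of the original notes; the function names are hypothetical, the parameters $p = 23$, $g = 7$, $b = 4$ are borrowed from the ElGamal example earlier in the text, and the collision search is the single-list birthday search from the hash function section. With only 22 possible digests a collision appears within 23 draws, which is the small-scale picture of why the digest space has to be large.

```python
import random
from math import gcd


def h(x, p, g, b):
    """h(x0 + x1*l) = g^x0 * b^x1 mod p, with l = (p-1)/2."""
    l = (p - 1) // 2
    if not 0 <= x < l * l:
        raise ValueError("x must lie in Z/l^2 Z")
    x0, x1 = x % l, x // l
    return pow(g, x0, p) * pow(b, x1, p) % p


def birthday_collision(p, g, b, seed=0):
    """Hash inputs in random order until two distinct x share a digest.

    Returns (x, x', number of inputs hashed). The seed only fixes the order.
    """
    l = (p - 1) // 2
    order = list(range(l * l))
    random.Random(seed).shuffle(order)
    seen = {}
    for draws, x in enumerate(order, start=1):
        digest = h(x, p, g, b)
        if digest in seen:
            return seen[digest], x, draws
        seen[digest] = x
    # Cannot happen when l*l > p - 1 (pigeonhole on the nonzero residues).
    raise RuntimeError("no collision found")


def dlog_from_collision(x, xp, p, g, b):
    """Recover a = L_g(b) from a collision h(x) = h(x'), x != x'."""
    if x == xp or h(x, p, g, b) != h(xp, p, g, b):
        raise ValueError("(x, x') is not a collision")
    l, n = (p - 1) // 2, p - 1
    x0, x1 = x % l, x // l
    y0, y1 = xp % l, xp // l
    lhs = (x0 - y0) % n          # x0 - x0'
    coef = (y1 - x1) % n         # x1' - x1, nonzero for a real collision
    d = gcd(coef, n)             # 1 or 2 by the argument in the text
    nd = n // d
    a0 = (lhs // d) * pow(coef // d, -1, nd) % nd
    # At most d = 2 candidates; compare g^a with b to pick the right one.
    for a in (a0 + k * nd for k in range(d)):
        if pow(g, a, p) == b:
            return a
    raise ValueError("no candidate matched b")


if __name__ == "__main__":
    p, g, b = 23, 7, 4
    x, xp, draws = birthday_collision(p, g, b)
    print("collision:", x, xp, "after", draws, "hashes")
    print("recovered a =", dlog_from_collision(x, xp, p, g, b))
```
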


More information

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups

More information

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups

More information

MATH UN Midterm 2 November 10, 2016 (75 minutes)

MATH UN Midterm 2 November 10, 2016 (75 minutes) Name: UNI: Instructor: Shrenik Shah MATH UN3025 - Midterm 2 November 10, 2016 (75 minutes) This examination booklet contains 6 problems. There are 10 sheets of paper including the front cover. This is

More information

Public Key Encryption

Public Key Encryption Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

Public-key Cryptography and elliptic curves

Public-key Cryptography and elliptic curves Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

Introduction to Elliptic Curve Cryptography

Introduction to Elliptic Curve Cryptography Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic

More information

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication

More information

10 Public Key Cryptography : RSA

10 Public Key Cryptography : RSA 10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if

More information

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several

More information

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice

More information

Question: Total Points: Score:

Question: Total Points: Score: University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please

More information

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes. INTEGERS PETER MAYR (MATH 2001, CU BOULDER) In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes. 1. Divisibility Definition. Let a, b

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 23, 2017 CPSC 467, Lecture 14 1/42 Computing in Z n Modular multiplication Modular inverses Extended Euclidean algorithm

More information

Leftovers from Lecture 3

Leftovers from Lecture 3 Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite

More information

14 Diffie-Hellman Key Agreement

14 Diffie-Hellman Key Agreement 14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n

More information

Information Security

Information Security SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we

More information

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit

More information

Public-key Cryptography and elliptic curves

Public-key Cryptography and elliptic curves Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

One can use elliptic curves to factor integers, although probably not RSA moduli.

One can use elliptic curves to factor integers, although probably not RSA moduli. Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties

More information

Lecture V : Public Key Cryptography

Lecture V : Public Key Cryptography Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional

More information

RSA RSA public key cryptosystem

RSA RSA public key cryptosystem RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.

More information

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.

More information

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.

More information

Elliptic Curve Cryptography with Derive

Elliptic Curve Cryptography with Derive Elliptic Curve Cryptography with Derive Johann Wiesenbauer Vienna University of Technology DES-TIME-2006, Dresden General remarks on Elliptic curves Elliptic curces can be described as nonsingular algebraic

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 14, 2013 CPSC 467b, Lecture 9 1/42 Integer Division (cont.) Relatively prime numbers, Z n, and φ(n) Computing in Z n

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC

More information

NORTHWESTERN UNIVERSITY Thrusday, Oct 6th, 2011 ANSWERS FALL 2011 NU PUTNAM SELECTION TEST

NORTHWESTERN UNIVERSITY Thrusday, Oct 6th, 2011 ANSWERS FALL 2011 NU PUTNAM SELECTION TEST Problem A1. Let a 1, a 2,..., a n be n not necessarily distinct integers. exist a subset of these numbers whose sum is divisible by n. Prove that there - Answer: Consider the numbers s 1 = a 1, s 2 = a

More information

Introduction to Elliptic Curve Cryptography. Anupam Datta

Introduction to Elliptic Curve Cryptography. Anupam Datta Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups

More information

Points of High Order on Elliptic Curves ECDSA

Points of High Order on Elliptic Curves ECDSA ! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov

More information

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya BBM 205 Discrete Mathematics Hacettepe University http://web.cs.hacettepe.edu.tr/ bbm205 Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya Resources: Kenneth Rosen,

More information

A new message authentication code based on the non-associativity of quasigroups. Kristen Ann Meyer. A dissertation submitted to the graduate faculty

A new message authentication code based on the non-associativity of quasigroups. Kristen Ann Meyer. A dissertation submitted to the graduate faculty A new message authentication code based on the non-associativity of quasigroups by Kristen Ann Meyer A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How

More information

Number Theory. Modular Arithmetic

Number Theory. Modular Arithmetic Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic

More information

ECE596C: Handout #11

ECE596C: Handout #11 ECE596C: Handout #11 Public Key Cryptosystems Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract In this lecture we introduce necessary mathematical background for studying

More information

Lecture 6: Cryptanalysis of public-key algorithms.,

Lecture 6: Cryptanalysis of public-key algorithms., T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number

More information

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS DELARAM KAHROBAEI, CHARALAMBOS KOUPPARIS, AND VLADIMIR SHPILRAIN Abstract. We offer a public key exchange protocol in the spirit of Diffie-Hellman, but

More information

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve

More information

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We

More information

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Hashes and Message Digests Alex X. Liu & Haipeng Dai Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols

More information

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:

More information

Discrete Mathematics and Probability Theory Spring 2015 Vazirani Midterm #2 Solution

Discrete Mathematics and Probability Theory Spring 2015 Vazirani Midterm #2 Solution CS 70 Discrete Mathematics and Probability Theory Spring 015 Vazirani Midterm # Solution PRINT your name:, (last) SIGN your name: (first) PRINT your student ID: CIRCLE your exam room: 3106 Etcheverry 3108

More information

Integers and Division

Integers and Division Integers and Division Notations Z: set of integers N : set of natural numbers R: set of real numbers Z + : set of positive integers Some elements of number theory are needed in: Data structures, Random

More information

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30 Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate

More information

Cryptography and Security Final Exam

Cryptography and Security Final Exam Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not

More information

Digital Signatures. p1.

Digital Signatures. p1. Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message

More information

Arithmétique et Cryptographie Asymétrique

Arithmétique et Cryptographie Asymétrique Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians

More information

5199/IOC5063 Theory of Cryptology, 2014 Fall

5199/IOC5063 Theory of Cryptology, 2014 Fall 5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.

More information

Digital Signatures. Adam O Neill based on

Digital Signatures. Adam O Neill based on Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New

More information

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

REU 2015: Complexity Across Disciplines. Introduction to Cryptography REU 2015: Complexity Across Disciplines Introduction to Cryptography Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block

More information

The Elliptic Curve in https

The Elliptic Curve in https The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol

More information

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.

More information

Cryptography IV: Asymmetric Ciphers

Cryptography IV: Asymmetric Ciphers Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline

More information

Discrete mathematics I - Number theory

Discrete mathematics I - Number theory Discrete mathematics I - Number theory Emil Vatai (based on hungarian slides by László Mérai) 1 January 31, 2018 1 Financed from the financial support ELTE won from the Higher Education

More information

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest

More information